Friday, April 01, 2011

The Federal Trade Commission announced on March 30th that it settled with Google over the rollout of its Buzz service. The FTC alleged deceptive trade practices under Section 5 for the enrollment of users without their explicit consent in violation of Google’s own privacy policy. The enforcement action highlights the importance of aligning privacy policies with privacy practices. The enforcement action is also the first substantive enforcement of the US-EU Department of Commerce Safe Harbor.

The FTC complaint explains how Google rolled out its Buzz service to its Gmail users with a splash screen that introduced them to Google Buzz, a social networking service allowing users to share updates much like any other social networking service. The users were given two options: “Sweet! Check out Buzz” or “Nah, go to my inbox.” (The screenshots are included in the exhibits to the complaint.) The complaint further explains that even if users selected “Nah, go to my inbox,” the users could be followed by others who were enrolled in Buzz, their public profiles could appear in the profiles of others who had enrolled, and they could be automatically enrolled if they later clicked on the Buzz link in their inbox, among other issues. In short, the FTC alleges that users were enrolled in a product without their explicit consent or an explanation of how their actions may affect their public profiles.

These actions, however, conflicted with Google’s statements on its privacy policy. Google’s privacy policy states that it would not use personal information in a manner other than for the purposes for which the information was initially collected or as later consented to by the user, as Google was required to do under the EU Safe Harbor and probably the FTC Toysmart settlement. Therefore, the FTC concludes that the automatic enrollment of users in the Buzz program in the absence of an explicit consent while representing that Google would get the user’s consent was a deceptive trade practice.

A. the extent to which respondent maintains and protects the privacy and confidentiality of any covered information, including, but not limited to, misrepresentations related to: (1) the purposes for which it collects and uses covered information, and (2) the extent to which consumers may exercise control over the collection, use, or disclosure of covered information.

B. the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity, including, but not limited to, the U.S.-EU Safe Harbor Framework.

The settlement agreement shares attributes of the previous settlement agreements that the FTC reached with Sears, Twitter, and others. It requires Google to implement a proactive privacy program, one that is reminiscent of privacy by design. For example, the program must identify reasonably foreseeable material risks and the sufficiency of safeguards to control those risks. Google is subject to the usual 20-year biennial audit requirements. Additionally, the FTC requires that Google disclose to the user any sharing of the user’s identified information in a document separate from its privacy policy, terms of use, or EULA and obtain express consent from those users. This type of disclosure, which the FTC first required in the Sears enforcement action, is likely to be carried on to other FTC privacy enforcement actions.

The FTC Google Buzz enforcement action is also the first substantive Safe Harbor enforcement. FTC’s first enforcement action against Balls of Kryptonite was more focused on fees, service, and shipment policies of an ecommerce merchant than privacy. The second set of Safe Harbor settlements were technical violations of the Safe Harbor. Six companies represented that they were part of the Safe Harbor when their certifications had expired years ago. However, the Google Buzz enforcement action represents the next stage. Google failed to live up to the Notice and Choice Principles of the Safe Harbor, with which it promised to comply.

The enforcement action also stands in distinction with the FTC’s unwillingness to take any action against Google regarding the Wi-Fi gate. While the FTC closed the Wi-Fi gate without an enforcement action, to my knowledge, it is the first privacy regulator to act on the Buzz issues. On the other hand, the French Data Protection Authority recently imposed a €100,000 fine on the same issue. However, considering that Google’s actions took place not on a website, but in a car, the FTC may instead be allowing the State Attorneys General to take a closer look at that issue.

Finally, I would like to take issue with Google’s use of “Sweet! Check out Buzz” and “Nah, go to my inbox” to attempt to allow users to accept or decline an offer. Agreements need not always be replete with legalese. Google was not required to state “I hereby represent that I have read and agreed to the Terms and Conditions of Google Buzz and would like my profile to be public and shared with others and any information to be used for any other purpose represented in the Google Buzz Privacy Policy” in the splash page. Even if it had, due to its practices, it would still have likely violated Section 5 of the FTC Act. However, Google’s use of such fluffy provisions is not the most effective means of forming agreements online nor of informing users about their rights. One can agree to an offer in many ways, including using the word awesome!, but proving this assent in a court of law may be challenging.

In conclusion, the FTC Google Buzz enforcement action provides an interesting mix of issues by throwing together privacy by design, the EU Safe Harbor, aligning privacy policies with privacy practices, and enforcement of agreements online.
